Closed
Bug 1623166
Opened 4 years ago
Closed 3 years ago
Assertion failure: !mContent || !mContent->GetParentElement() || HTMLEditor::NodeIsBlockStatic(*mContent) || HTMLEditor::NodeIsBlockStatic(*mContent->GetParentElement()) || !mContent->GetParentElement()->IsEditable()
Categories
(Core :: DOM: Editor, defect, P5)
Tracking
()
RESOLVED
FIXED
93 Branch
People
(Reporter: jkratzer, Assigned: masayuki)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files, 3 obsolete files)
Testcase found while fuzzing mozilla-central revision 20200317-b9badd1ee675.
Assertion failure: !mContent || !mContent->GetParentElement() || HTMLEditor::NodeIsBlockStatic(*mContent) || HTMLEditor::NodeIsBlockStatic(*mContent->GetParentElement()) || !mContent->GetParentElement()->IsEditable(), at /builds/worker/checkouts/gecko/editor/libeditor/WSRunObject.h:188
rax = 0x000055adf2140380 rdx = 0x0000000000000000
rcx = 0x0000000000000b40 rbx = 0x00007ffe4aace440
rsi = 0x00007f610a408d55 rdi = 0x00007f6115ed8680
rbp = 0x00007ffe4aace240 rsp = 0x00007ffe4aace220
r8 = 0x00007f6115ed98b0 r9 = 0x00007f611703f780
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007f60fb2cf160 r13 = 0x000000004aac0080
r14 = 0x0000000000000000 r15 = 0x00007ffe4aace458
rip = 0x00007f610664e839
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WSScanResult::AssertIfInvalidData() const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.h:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|167|0x49
0|1|libxul.so|mozilla::WSScanResult::WSScanResult(mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::WSType)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.h:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|159|0x8
0|2|libxul.so|mozilla::WSScanResult mozilla::WSRunScanner::ScanNextVisibleNodeOrBlockBoundaryFrom<nsINode*, nsIContent*>(mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|636|0x1c
0|3|libxul.so|mozilla::WSScanResult mozilla::WSRunScanner::ScanNextVisibleNodeOrBlockBoundary<nsINode*, nsIContent*>(mozilla::HTMLEditor const&, mozilla::EditorDOMPointBase<nsINode*, nsIContent*> const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/WSRunObject.h:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|383|0x13
0|4|libxul.so|mozilla::HTMLEditor::IsVisibleBRElement(nsINode*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|894|0x10b
0|5|libxul.so|mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > mozilla::HTMLEditor::GetCurrentHardLineEndPoint<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|7373|0xb
0|6|libxul.so|already_AddRefed<nsRange> mozilla::HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent>, nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >(mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> > const&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|7598|0x8
0|7|libxul.so|mozilla::HTMLEditor::CreateRangeExtendedToHardLineStartAndEnd(mozilla::dom::AbstractRange const&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|7565|0xd
0|8|libxul.so|mozilla::HTMLEditor::GetSelectionRangesExtendedToHardLineStartAndEnd(nsTArray<RefPtr<nsRange> >&, mozilla::EditSubAction)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|7455|0x11
0|9|libxul.so|mozilla::HTMLEditor::CollectEditTargetNodesInExtendedSelectionRanges(nsTArray<mozilla::OwningNonNull<nsIContent> >&, mozilla::EditSubAction, mozilla::HTMLEditor::CollectNonEditableNodes)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditor.h:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|1635|0xe
0|10|libxul.so|mozilla::ListElementSelectionState::ListElementSelectionState(mozilla::HTMLEditor&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditSubActionHandler.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|701|0x12
0|11|libxul.so|mozilla::GetListState|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|1334|0xf
0|12|libxul.so|mozilla::RemoveListCommand::IsCommandEnabled(mozilla::Command, mozilla::TextEditor*) const|hg:hg.mozilla.org/mozilla-central:editor/libeditor/HTMLEditorCommands.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|392|0x12
0|13|libxul.so|mozilla::EditorCommand::IsCommandEnabled(char const*, nsISupports*, bool*)|hg:hg.mozilla.org/mozilla-central:editor/libeditor/EditorCommands.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|41|0x46
0|14|libxul.so|nsControllerCommandTable::IsCommandEnabled(char const*, nsISupports*, bool*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsControllerCommandTable.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|90|0x9
0|15|libxul.so|nsBaseCommandController::IsCommandEnabled(char const*, bool*)|hg:hg.mozilla.org/mozilla-central:dom/commandhandler/nsBaseCommandController.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|86|0x19
0|16|libxul.so|nsWindowRoot::GetEnabledDisabledCommandsForControllers(nsIControllers*, nsTHashtable<nsCStringHashKey>&, nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsWindowRoot.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|289|0x10
0|17|libxul.so|nsWindowRoot::GetEnabledDisabledCommands(nsTArray<nsTString<char> >&, nsTArray<nsTString<char> >&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsWindowRoot.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|311|0x19
0|18|libxul.so|ChildCommandDispatcher::Run|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|6412|0x1d
0|19|libxul.so|nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|5441|0x9
0|20|libxul.so|nsContentUtils::AddScriptRunner(nsIRunnable*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|5447|0x35
0|21|libxul.so|nsGlobalWindowOuter::UpdateCommands(nsTSubstring<char16_t> const&, mozilla::dom::Selection*, short)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|6451|0x8
0|22|libxul.so|nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, nsIContent*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsFocusManager.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|2367|0x3a
0|23|libxul.so|nsFocusManager::WindowRaised(mozIDOMWindowProxy*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsFocusManager.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|719|0x2b
0|24|libxul.so|nsWebBrowser::FocusActivate()|hg:hg.mozilla.org/mozilla-central:toolkit/components/browser/nsWebBrowser.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|1277|0x8
0|25|libxul.so|mozilla::dom::BrowserChild::RecvActivate()|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|1500|0x5
0|26|libxul.so|mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:14765ffb4032ffdaf5ccd73d28a7177ad18ee1569ff997d51706920b1a804de663fb837fcf906a575550a2a6f41c06f1e3da36d4c6d3904199aba3d2100def56/ipc/ipdl/PContentChild.cpp:|11690|0xf
0|27|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|2187|0x6
0|28|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|2111|0xe
0|29|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|1959|0xb
0|30|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|1990|0xc
0|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|1220|0xe
0|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|481|0x11
0|33|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|87|0xa
0|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|315|0x19
0|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|290|0x8
0|36|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|137|0xd
0|37|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|926|0x6
0|38|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|237|0x5
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|315|0x19
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|290|0x8
0|41|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|761|0x8
0|42|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|56|0x14
0|43|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|303|0x13
0|44|libc-2.27.so||||0x21b97
0|45|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:b9badd1ee675c04bc946a6e3792cfd2f7c07a140|82|0x12
0|46|firefox-bin||||0x10b20
0|47|ld-2.27.so||||0x10733
0|48|libdl-2.27.so||||0x202d80
0|49|libpthread-2.27.so||||0x219bb0
0|50|firefox-bin||||0x10b20
0|51|firefox-bin|_start|||0x29
|
Reporter | |
Comment 1•4 years ago
|
||
|
|
Reporter | |
Updated•4 years ago
|
Summary: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/vr/VRServiceTest.cpp:465:32 in mozilla::dom::VRMockController::SetHapticCount(unsigned int) → Assertion failure: !mContent || !mContent->GetParentElement() || HTMLEditor::NodeIsBlockStatic(*mContent) || HTMLEditor::NodeIsBlockStatic(*mContent->GetParentElement()) || !mContent->GetParentElement()->IsEditable()
|
|
Reporter | |
Comment 2•4 years ago
|
||
Attachment #9133957 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 3•4 years ago
|
||
Attachment #9133959 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 4•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200317214918-7c83f04c82e9.
The bug appears to have been introduced in the following build range:
> Start: f3da8ae9d1a3e74cd273746da51a035ddc572bee (20200225214332)
> End: 7f41334e10443f4f1c7426e86fb0cb7adfdf4d62 (20200226092757)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f3da8ae9d1a3e74cd273746da51a035ddc572bee&tochange=7f41334e10443f4f1c7426e86fb0cb7adfdf4d62
|
||
Comment 5•4 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #4)
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200317214918-7c83f04c82e9.
The bug appears to have been introduced in the following build range:Start: f3da8ae9d1a3e74cd273746da51a035ddc572bee (20200225214332)
End: 7f41334e10443f4f1c7426e86fb0cb7adfdf4d62 (20200226092757)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f3da8ae9d1a3e74cd273746da51a035ddc572bee&tochange=7f41334e10443f4f1c7426e86fb0cb7adfdf4d62
As long as I look regression range, it seems to be bug 1616257's regression? Nakano-san, could you look this?
Flags: needinfo?(masayuki)
|
Assignee | |
Comment 6•4 years ago
|
||
Sure, looks like a simple bug of getting extended range.
Assignee: nobody → masayuki
Flags: needinfo?(masayuki)
|
|
Assignee | |
Updated•4 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P3
|
||
Comment 7•4 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
|
Assignee | |
Comment 8•4 years ago
|
||
Oddly, I cannot reproduce it without e10s, but it's hard to attach debugger for the tab loading local file...
|
|
Assignee | |
Comment 9•4 years ago
|
||
Sigh, this detects wrong design of WSRunScanner. Basically, WSRunScanner ignore non-editable contents (i.e., mNodeArray stores only editable text nodes), however, scanning methods do not check whether found node is editable or not. Therefore, WSScanResult detects irreconcilable case.
Unfortunately, fixing this is really risky. Put off to handle this later.
Assignee: masayuki → nobody
Status: ASSIGNED → NEW
Priority: P3 → P4
|
|
Reporter | |
Updated•4 years ago
|
Attachment #9133961 -
Attachment is obsolete: true
| Comment hidden (obsolete) |
|
|
Reporter | |
Updated•3 years ago
|
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected]
|
||
Comment 11•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224215151-69be3221f49a.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 7a5cb26a2d518e9cfaf512ba9a06239b573d7f0e (20200227033937)
End: b9badd1ee675c04bc946a6e3792cfd2f7c07a140 (20200317093640)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
Whiteboard: [bugmon:bisected] → [bugmon:bisected,confirmed]
|
||
Comment 12•3 years ago
|
||
Masayuki, maybe we should not forget this entirely? Thanks!
Flags: needinfo?(masayuki)
See Also: → 1626002
|
|
Assignee | |
Comment 13•3 years ago
|
||
See comment 9, this is a code design issue of WSRunScanner. We should refactor it when we align how to treat white-space sequence to Blink or this becomes a serious bug for some major web apps.
Flags: needinfo?(masayuki)
|
|
||
Comment 14•3 years ago
|
||
Bugmon Analysis
The bug appears to have been fixed in the following build range:
Start: 8803bc71047a75f0983844d891d82b4a5edecda4 (20210310041823)
End: 10ca32d83c66663d73c0600ff90022e85f52b92b (20210310054241)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8803bc71047a75f0983844d891d82b4a5edecda4&tochange=10ca32d83c66663d73c0600ff90022e85f52b92b
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
Reporter | |
Comment 15•3 years ago
|
||
:masayuki, is it possible this was fixed in bug 1677566?
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 16•3 years ago
|
||
Yeah, I'll try to add the testcase into the tree.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Priority: P4 → P5
|
|
Assignee | |
Comment 17•3 years ago
|
||
The test causes different assertion count between platforms. As the comment in
crashtests.list, the difference is whether "removeList" command enabled check
is run at getting focus or not. Perhaps, the difference is caused by whether
HTML commands are initialized before or after executing "indent" command.
Depends on D122479
|
|
||
Comment 18•3 years ago
|
||
:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(masayuki)
|
||
Comment 19•3 years ago
|
||
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/8436d9672a94 Add reported testcase into the tree r=m_kato
|
||
Comment 20•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox93:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
|
||
Updated•3 years ago
|
status-firefox91:
--- → wontfix
status-firefox92:
--- → wontfix
status-firefox-esr78:
--- → wontfix
status-firefox-esr91:
--- → wontfix
Flags: in-testsuite+
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(masayuki)
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•